First, I would like to make it perfectly clear that I am publishing my
twisted and evil method for destroying the internet without any intent
to encourage anyone to actually do it. If in fact anyone does this,
my Ninja Death Squad will be dispatched to hunt you down and make you
watch Powerpuff Girls until you die of cerebral hemorrhage.
Part of the art of being a Mad Overlord is that it is quite
enough to know how to wreak chaos and devastation. You
don't actually have to go and do it (it's messy, there are more
fun things to do, and it attracts the unwelcome attentions of the
Forces of Goodness, who are real party-poopers).
Thus, this method is published for three reasons: first, and
most importantly, to impress you with my evil and devious mind;
in the hopes that a certain company whose software will almost
certainly be used in carrying out this attack (if someone is so clueless
as to try it) will get their act together and put some extra effort into
making it more difficult; and finally, in an effort to broadly
disseminate knowledge of the technique so that it can be discussed
and countermeasures developed.
Distributed Denial of Service Attacks
In early 2000 several major sites (such as Yahoo!) were assaulted by
distributed denial of service attacks. These involved a hacker or
hackers gaining control of about 100 computers around the net and
using them to flood the target server(s) with requests, in the hopes
of overloading them. The compromised computers served as "slaves"
from which a coordinated attack on the target was launched.
The exact details of these denial of service attacks are
irrelevant to this discussion. What is relevant is that these attacks
are highly asymmetric; a small amount of computing and bandwidth
(to generate a bogus request and send it to the target) forces the
target to consume a larger amount of computing and bandwidth to
respond. Thus, each of the slaves can create a load on the target
equivalent to thousands of normal users, and a relatively small number
of slaves can overwhelm even the mightiest site.
Email Viruses
In the last year or so, we've also seen quite a few "email viruses";
malicious emails with embedded scripts or code that could not only
do nasty things on a user's machine (a "trojan horse") but could also
exploit security flaws in email applications, most notably those
created by Microsoft, and send themselves on to everyone in the
victim's address book.
It is important to keep in mind that the reason these viruses
targeted Microsoft applications is not necessarily that Microsoft apps
are more vulnerable than those from other vendors, but that they are
much more common. However, it is also important to keep in mind that
after each virus release incident, patches were made to the applications
involved, sighs of relief were uttered, and the whole cycle repeated
when a new vulnerability was uncovered. Thus, we can have no assurance
that there are no as yet undiscovered security problems with these
programs.
Put them together and it's adios Internet
Now consider the following hypothetical email virus. The carrier
part of the virus exploits a new security hole in a popular email
application to email itself to everyone in the victim's address
book. But it also installs a trojan horse into the victim's computer,
which in its simplest and most insidious form is what I call an
Autonomous Random Denial of Service Robot.
This little chunk of code simply picks URLs of major websites
at random from a list (or creates them by looking at email addresses from
the email application), and makes HTTP requests. It doesn't need to
execute any of the fancy denial of service techniques (though it could
if it wanted). It just waits until the computer is connected to
the internet, and then, as unobtrusively as possible, uses all the extra
bandwidth that the user isn't using to pester the
target websites.
If 100 slave computers could overwhelm some of the major sites
on the internet, think about what 100,000 machines could do,
even if their attack technique was not very sophisticated. In fact,
if they just acted like regular browsers and requested homepages,
the targets would have little clue that they were being attacked, apart
from the crippling surge of traffic generated. Such an attack would
be very difficult to detect, let alone defend against.